Privacy
Safe!hints is our whistleblowing system. Employees, customers, business partners, and others with information can use safe!hints to report suspected violations of laws and internal rules to the internal reporting body. Safe!hints is part of our compliance management system.
Who is the controller responsible for data processing?
The controller responsible for the processing of your personal data (the “organization”) is:
Rottendorf Pharma GmbH, Ostenfelder Str. 51-61, 59320 Ennigerloh, Germany, info@rottendorf.com; represented by Marco Niemann and Erich Scheibner.
In keeping with our legal obligations, we have appointed a data protection officer. You can contact this person at any time with any questions you may have about data protection and/or privacy. You can reach our data protection officer by mail at the address above, adding “Attn.: Data Protection Officer,” or by e-mail at datenschutz@rottendorf.com.
What data are processed?
Using safe!hints is voluntary.
When violations are reported via safe!hints, personal data (such as name, contact details, photos, matter being reported, etc.) on
- the person making the report (the whistleblower), and
- the person who is the subject of the report (reported person)
- and the other persons mentioned in the report (such as witnesses and/or third parties)
that are entered in the relevant report form are processed.
For what purpose and on what legal basis do you process my data?
The data mentioned above are processed for the purpose of detecting and preventing serious abuses and preventing and defending against especially drastic or even existential legal consequences, damage and/or losses that may be incurred by our organization (criminal prosecution, claims for damages, harm to our image, supervisory measures) and/or employees.
The legal basis for the processing is the fulfilment of a legal obligation pursuant to Art. 6 para. 1 lit. c GDPR in conjunction with. § 10 HinSchG. In the case of a notification under the LkSG, the processing is lawful because it is necessary for the fulfilment of a legal obligation pursuant to Art. 6 para. 1 lit. c GDPR i.V.m. § 8 LkSG is required.
Who receives my data?
As part of the audits, investigations and remedial measures to be taken, it may be necessary to transmit information on a reported incident to external advisors (e.g. legal advisors) or to the competent authorities. Personal data will only be disclosed if this is permitted under Section 9 HinSchG.
The infrastructure of the system, including websites and database, is operated by Biehn & Professionals GmbH, Wiesenstraße 32, 33397 Rietberg-Mastholte, Germany, on our behalf in accordance with Art. 28 GDPR, which in turn uses a specialised software subcontractor. Biehn & Professionals GmbH is contractually obliged to maintain strict confidentiality and to comply with all data protection requirements.
What are my data protection and privacy rights?
Upon request, you have the right to receive access to information, free of charge, on the personal data concerning you that are stored, the origin and recipient(s) thereof, and the purpose of data processing. Where we process your data on the basis of our legitimate interest, you have the right to object to the processing if there are legitimate grounds relating to your particular situation (right to object). In addition, you have the right to rectification of inaccurate personal data, the right to erasure of personal data, the right to restriction of processing of personal data, and the right to data portability. You can contact us anytime with regard to these rights and/or any further questions you may have on the subject of personal data. Finally, you have the option to lodge a complaint with the supervisory authority if you believe the processing of your data violates data protection or privacy laws or that your claims under these laws have otherwise been violated in any way.
How long are the personal data stored?
Personal data is stored for as long as required for clarification and final assessment or as required by law. The information and reports are deleted in accordance with the legal requirements 3 years after completion of the procedure.